Facebook disrupts cryptocurrency-mining botnet Lecpetex

Lecpetex attackers may have infected up to 250,000 computers, Facebook revealed.

Facebook has teamed with law enforcement to disrupt malicious operations linked to "Lecpetex," a cryptocurrency-mining botnet composed of up to 250,000 infected computers worldwide.

On Tuesday, the social networking service detailed its takedown efforts in a security section on its website. Lecpetex operators spread two malicious payloads, according to Facebook, a remote access trojan (RAT) called "DarkComet" and Litecoin mining software.

The botnet, which primarily impacted Greece, Poland, Norway, India, Portugal, and the U.S., also made use of a Facebook spamming module, the company revealed. Between December and June, botnet operators "launched more than 20 distinct waves of spam" at users, Facebook alleged.

Malware was delivered to victims via spam messages with malicious zip file attachments. After the malicious payload was executed, the compromised computer would begin Litecoins, and also start Facebook spamming other users, repeating the cycle, the company revealed.

"[The] Facebook spamming module hijacks a person's account by stealing cookies from their browser, using that access to obtain the victim's friend list, and sending private messages to each friend with a zip file containing malware," the post on Facebook's site said.

In the last seven months, Lecpetex operators used varying social engineering ruses, which entailed JAR files, visual basic scripts (VBS), zip files and Microsoft Cabinet files (CAB), sent with short messages like, "lol," to victims.

"The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection," Facebook said.

Back in late April, Facebook brought the case to Greek police, and by early July, law enforcement announced that two suspects linked to the operations had been arrested.

In its write up, Facebook also revealed bot commands used by attackers, as well as command-and-control server IP addresses and disposable email services, like dispostable.com, that were leveraged by scammers.

The company emphasized that "traditional protections such as anti-virus" alone, were no match for Lecpetex operators, who had a “good understanding of anti-virus evasion."

In Wednesday email correspondence with SCMagazine.com, Sarah Isaacs, CEO of Chicago-based Conventus and expert in AV theory and technology, added that AV, on its own, "hasn't been a viable solution for quite awhile," considering the speed in which malware variants proliferate.

James Foster, CEO of ZeroFOX, a social risk management firm in Baltimore, added that the Lecpetex case illustrates how attackers have simply moved from using email platforms, over the years, to distributing malware via popular social media channels.

"In the Lecpetex case, the targets of the compromised machines replicated themselves through social media channels by sending trusted, private notes to their friends," Foster wrote in an email to SCMagazine.com. "In some cases, their friends were asked to visit malicious sites and in others they were asked to download malware. Rewind 14 years and you will find the same approach was taken with the ILOVEYOU virus ...however, the channel for distribution was email," he said.

Get SC Media delivered to your inbox

Whitepaper of the Day

Newswire

Buzz

I would like to receive relevant information via email from Haymarket Media.

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.